Mandatory review of DOD's compliance on CMMC is delayed

The Pentagon (Photo by Ivan Cholakov / Shutterstock) 

The Defense Department has asked for more time to deliver an assessment to Congress about whether its own components comply with the unified cybersecurity standard for defense contractors known as the Cybersecurity Maturity Model Certification (CMMC) program, FCW has learned.

A provision in the 2021 National Defense Authorization Act requires DOD's CIO and the commander of the Joint Forces Headquarters-Department of Defense Information Network to review each DOD component for cyber hygiene and assess compliance with CMMC.

The report is supposed to identify a "component's CMMC level and implementation of the cybersecurity practices and capabilities required in each of the levels of the CMMC framework," according to the legislation.

Those components that don't meet CMMC level 3 requirements, also referred to as "good cyber hygiene," will have to "implement relevant security measures to achieve a desired CMMC or other appropriate capability and performance threshold prior to March 1, 2022."

The report stemming from that review was due to Congress on March 1, but has been pushed to June, according to a Hill aide familiar with the matter.

The CMMC program, a unified standard that defense contractors handling controlled unclassified information will have to meet to bid on contracts, is expected to enter the pilot stage with select contracts later this year; full implementation for all defense contracts is planned for 2025.

"The Cybersecurity Maturity Model Certification will continue to be a focal point" for ranking member Sen. Jim Inhofe (R-Okla.) and Cybersecurity Subcommittee ranking member Sen. Mike Rounds (R-S.D.), a spokesperson for Senate Armed Services Committee Republicans told FCW. "One area where the committee is particularly concerned is balancing the cybersecurity of the defense industrial base with making sure the burden on small- and medium-sized businesses isn't too great."

DOD has not yet responded to a request for comment.

The Defense Department is also running a separate review of supply chain and risk management programs, including CMMC, led by Stacy Cummings, DOD's acting acquisition chief.

"In light of increasingly frequent and complex cyber intrusion efforts by adversaries and non-state actors, the Department remains deeply committed to the security and integrity of the defense industrial base," DOD spokesperson Jessica Maxwell told FCW. "As is done in the early stages of many programs, the DOD is reviewing the current approach to CMMC to ensure that it is achieving stated goals as effectively as possible while not creating barriers to participation in the DoD acquisition process….This assessment will be used to identify potential improvements to the implementation of the program."

News of this internal review was first reported in FedScoop.

About the Author

Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at [email protected], or follow her on Twitter @lalaurenista.

